Attachment: LNK with embedded content

Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.

Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.

Sublime rule

name: "Attachment: LNK with embedded content"
description: |
  Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.

  Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
references:
  - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
  - "https://www.x86matthew.com/view_post?id=embed_exe_lnk"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments,
        .file_extension == "lnk"
        and any(file.explode(.),
                .file_extension =~ "lnk"
                and any(.scan.exiftool.fields, (.key == "TargetFileSize" and .value == "0"))
                and any(.scan.exiftool.fields,
                        (
                          .key == "CommandLineArguments"
                          and strings.ilike(.value, "*findstr*", "*sc $path*", "*Set-Content*")
                        )
                )
        )
    )
  )
tags:
  - "Malfam: Emotet"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "LNK"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
id: "41452f7a-c77d-5259-a5fb-91b1b4419364"
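The rule keys on two exiftool fields: TargetFileSize, which exiftool reads from the FileSize field of the Shell Link header, and CommandLineArguments, which is one of the optional StringData fields. The following added example (not part of the Sublime rule or its references) parses those two values straight out of a .lnk blob per MS-SHLLINK and applies the same condition as the rule; the build_lnk helper and its sample command line are constructed test data, not a real Emotet shortcut.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1), low to high
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1, 2, 4, 8
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 16, 32, 64, 128
STRING_FIELDS = ((HAS_NAME, "Name"), (HAS_REL_PATH, "RelativePath"), (HAS_WORK_DIR, "WorkingDir"),
                 (HAS_ARGS, "CommandLineArguments"), (HAS_ICON, "IconLocation"))
# the substrings the rule matches with strings.ilike("*findstr*", "*sc $path*", "*Set-Content*")
SUSPICIOUS = ("findstr", "sc $path", "set-content")

def parse_lnk(data: bytes) -> dict:
    """Return the header FileSize (exiftool's TargetFileSize) plus every StringData field."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"FileSize": struct.unpack_from("<I", data, 52)[0]}  # size of the link target
    pos = header_size
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 IDListSize followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 LinkInfoSize, which counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:  # StringData: u16 CountCharacters, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def is_embedded_content_lnk(data: bytes) -> bool:
    """Same condition as the rule: zero-size target and a self-extracting command line."""
    info = parse_lnk(data)
    args = info.get("CommandLineArguments", "").lower()  # ilike is case-insensitive
    return info["FileSize"] == 0 and any(s in args for s in SUSPICIOUS)

def build_lnk(args: str, file_size: int = 0) -> bytes:
    """Constructed test sample: minimal Unicode .lnk carrying only RelativePath and arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, file_size, 0, 1, 0) + b"\0" * 10  # Reserved1..3
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(".\\cmd.exe") + enc(args)
```

Run parse_lnk over a real attachment to compare its output with the exiftool fields the rule consumes; a non-zero FileSize or arguments that only match one pattern case-insensitively shows why both halves of the condition are needed.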